Windows2003 Webshell Default Permissions

0x00 Preface
0x01 Windows2003 Default configuration
0x02 Windows2003 Typical configuration permissions
Conditions for 0x03 cmd operation

0x00 Preface
This chapter is mainly about the default permissions we have just got Webshell, this chapter is mainly focused on, we often have to invade the permission of a site, get the so-called Webshell, he exactly under Windows What kind of default permissions.
Many people although through some known loopholes to take a small website, such as upload some Trojan horse, get Webshell, but also said they will hang Trojan, such as modify the homepage of the website, add a trojan on top, let others kind far control, play in that.
But he still do not understand himself to take this webshell what role, he can have what kind of authority, so some friends ask my question is a bit don't know how to answer-.
For example, some very classic questions, I took a webshell how can I open Remote Desktop? Do you want to upload a direct control and execute the cmd command? Why can't I do it? How do I open Remote Desktop. --I'm going to take a look at some of my friends ' frequently asked questions about it. (This lesson, estimated after writing JSP and PHP do not have to write, uh.--for the moment or not, sell a xiaoguanzi. )
How to solve these problems, first we have to understand the authority of the Webshell, through the two chapters of the study, we should understand that all of our access to the IIS-built site, the default is the Users group [this is the default], with the IIS iusr_* anonymous account [ Which anonymous account? Can be said to be clear, with a] to visit. That is to say, our Webshell permissions are the same as him, the default is the Users group or the Guests group [this is not accurate, the default is the users, down the right is the guest] (in the case of falling right), this is a basic understanding. Then, let's talk about the specific permissions we have, such as the previous two chapters, about access to disk, and so on, which we'll cover in this chapter.
This is how we put ourselves in that environment, assuming that we are the Webshell, what permissions we have.
This kind of understanding is more specific, previously described is, than a large range of those who speak windows, what permissions, including what Administrator account, System account, and a variety of management groups. Actually, we're really playing with cyber security. The hacker Trojan, Webshell, including elevation of privilege, really want to deal with is a Web server software default user access permissions.

This chapter we stand in a webshell angle to see what permissions we have, the main content of this chapter is to introduce the configuration, and the typical configuration of the Webshell permissions, including read, write, execute, and some extended permissions, run CMD.

0x01 Windows2003 Default configuration

Default settings

The first difference! By default, IIS is not installed under WINDOWS2003

Here to say the default windows2003 installed after the default is not installed IIS, and WINDOWS2K is not the same, 2K installed after the installation will automatically install a IIS5, which will bring a hidden danger of installation, there is a IIS5 remote overflow right of the vulnerability, there seems to be write permissions [Is this to see if WebDAV is open?] ], as long as you know that a Web server is installed IIS5, and this server is in the network, you can try to use the IIS5 remote Overflow vulnerability to get the permissions of this machine. or write Webshell with Iiswrite, and then right him. (Write to open WebDAV)

• Only static HTTP servers are installed by default
The default installation of IIS 6.0 is set to only install static HTML pages to display the required components, and not allow dynamic content, said the straightforward point, that can only parse the HTM, HTML and other static Web pages, but not the ASP, ASA and other dynamic Web pages [this is added].
In IIS Manager, click Web Service extension to allow active Server pages so that dynamic Web pages can be parsed. [Plus]
　　
• Enhanced file access Control www.2cto.com
Anonymous accounts no longer have write access to the Web server root. In addition, FTP users are isolated from each other in their own root directory. These restrictions effectively prevent users from uploading unwanted programs to other parts of the server's file system. For example, an attacker could upload some harmful executable code to the/scripts directory and execute the code remotely to attack the Web site
　　
Parent directory is disabled
Access to the parent directory is disabled by default in IIS 6.0. This prevents attackers from crossing the directory structure of the Web site and accessing other sensitive files on the server, such as the Sam file. Note, of course, that because the parent directory is disabled by default, this can cause some applications migrated from earlier versions of IIS to fail because of the inability to use the parent directory. [Most real-world environments are enabled]
　　
Upholding the principle of least privilege
IIS 6.0 adheres to a basic security principle – the principle of least privilege. That is, all code in HTTP. SYS is executed with local system permissions, and all worker processes are performed with the permissions of the network service. The Network service is a newly built-in account in Windows 2003 that is heavily restricted. In addition, IIS 6 allows only administrators to execute command-line tools to avoid malicious use of command-line tools. These design changes have reduced the likelihood of attacking the server through potential vulnerabilities. Some of the fundamental design changes, some simple configurations, including canceling anonymous users ' write access to the Web server's root directory, and isolating the FTP user's access to their respective home directories, greatly improve the security of IIS 6.0.

　　
0x02 Windows2003 Typical configuration permissions
　　
　　
1. Disk Permissions
system disk and all disks only give full control to the Administrators group and system
System disk \documents and Settings directory only gives full control to Administrators group and system
System disk \documents and Settings\All The Users directory only gives full Control permissions to Administrators group and system
The system disk \inetpub directory and all of the following directories, files only give full control to the Administrators group and system
System disk \windows\system32\cacls.exe, Cmd.exe, Net.exe, net1.exe files only give full control to the Administrators group and system
　　
2. Do not use the default Web site and separate the IIS directory from the system disk if you use it
　　
IIS default created inetpub directory will be deleted [statement not fluent] (on the disk where the system is installed)
　　
3. Each individual to be protected (such as a Web site or a virtual directory) creates a system user that has the unique ability to set permissions on the system.
What does that mean, a website an account, when we invade the virtual host, there is a method called the side note, I believe you must know that the previous use of the side note to invade the virtual host speed is not generally fast, as long as in dozens of sites invaded one of the sites, and then find his directory, can cross the past, Write your horse to complete this invasion.
But in an individual who needs protection, create a system user, in which case an account corresponds to a Web site, a directory, in which case, your next note will expire [need to configure the permissions of each account to not cross the directory]. Or if it's hard to use, why? Because you own an account, such as a station a account, then a account can only be in the a station directory activities, you can not run to the directory B station, because you do not have this permission. B Station the same, he has a B user, he can not run to a station to activities. [This needs to be configured separately]
At this time, if we want to penetrate into the target site through the side note, we need to try some methods to make the right [modified], after the success, then the [ability to] the target station to modify the home page.
Some just learn to mention the right, perhaps in a more fortunate time encountered some do not set the directory of the administrator, so the use of the side note, invaded the other station, when encountered will set security permissions of the administrator, he invaded the B station, know the path of a station, but just jump not over, that is because you do not have this permission.
Under the typical WEBSEHLL, for this station has, reads, writes, modifies, the permission, the directory has the relative execution permission.
It can be in the specified folder, look at his files, write to his files, you can also modify and delete its files, such as you can execute a part of the cmd command, such as some of the sniffer tools command, these are relative. [whether to allow execution, is to see the specific configuration, the default is allowed] (generally in the web directory is not allowed to execute the PE file said)

Conditions for 0x03 cmd operation

Under IIS users, the IIS user ASP Trojan executes some CMD commands that require WScript (wscript.shell/shell.application) support.

And the ASPX Trojan such as Aspxspy is called [IS. NET, not aspx].net components, online users have provided a way to prevent ASPX run CMD is to prohibit the process name of W3wp.exe run any external exe file. (--Do not know which great God can bypass this and then use CMD to execute commands?)
Well, probably just say it. Say too much I will struggle behind.
If this article above, there are typos or some other statements do not pass/explain the wrong. Please contact me,--so that the house to learn a bit.

Thanks to Yangfan, thanks to Spy4man, thanks to the Jenjo of Jan 0.0 for my answer.

Author: Little Darling &mix0xrn
From:http://www.dis9.com

Windows2003 Webshell Default Permissions